exim: dropping spam based on score threshold?

[jnagro]

I've made exim servers deny spam based on a score threshold, ie if the score is above X dont accept the message (deny) or :fail: it. I've poked around the cpanel config and its perl functions but i'm having a hard time adding it. Does anyone know where/how i can do that? I'm assuming ClamAV also won't accept malware? (deny? or :fail:?)

[jnagro]

i added this to the 'check_message' acl:

Code:

deny message = Spam score too high ($spam_score)
    spam = mailnull:true/defer_ok
    condition = ${if >{$spam_score_int}{150}{1}{0}}

which will deny any mail with a spam score of 15 or higher (fyi: exim will do something like score * 10 = 150, hence the 150)

[mickalo]

Quote:

Originally Posted by jnagro

i added this to the 'check_message' acl:

Code:

deny message = Spam score too high ($spam_score)
    spam = mailnull:true/defer_ok
    condition = ${if >{$spam_score_int}{150}{1}{0}}

which will deny any mail with a spam score of 15 or higher (fyi: exim will do something like score * 10 = 150, hence the 150)

very handy Added it through the Exim Editor and watched the log file. seems to work quiet nicely:

Code:

tail -f /var/log/exim_rejectlog | grep "Spam score too high"

2006-12-05 15:45:56 1Gri6o-0006Os-Qa H=(dsl85-98-16622.ttnet.net.tr) [85.98.64.238] F=<unfulfilledtambourines@abwc.com> rejected after DATA: Spam score too high (17.0)
2006-12-05 15:47:12 1Gri7z-0006Rg-I5 H=foreaud.classcom.pl [195.150.77.145] F=<sadvoipreadinessuni@voipreadiness.com> rejected after DATA: Spam score too high (17.8)
2006-12-05 15:47:36 1Gri8M-0006T5-03 H=foreaud.classcom.pl [195.150.77.145] F=<sadxinergistixuni@xinergistix.com> rejected after DATA: Spam score too high (22.2)

Thx's
Mickalo

[alan-tor]

Does :fail: work when specified in cPanel's "E-mail Filtering"?

I've created mail filters in cPanel's "E-mail Filtering", called "Filter Maintenance" once you're on that page. I set spam above a certain score to "Discard", but I wonder if :fail: would work there.

Actually, I'm wondering how this can work or how the original poster's idea can work. Presumably mail must first be received at the server in order to be scanned by SpamAssassin. So how can it be set to :fail: when it has already been received?

[nxds]

Quote:

Originally Posted by jnagro

i added this to the 'check_message' acl:

Code:

deny message = Spam score too high ($spam_score)
    spam = mailnull:true/defer_ok
    condition = ${if >{$spam_score_int}{150}{1}{0}}

which will deny any mail with a spam score of 15 or higher (fyi: exim will do something like score * 10 = 150, hence the 150)

That rocks my world. Thx

[serversphere]

Be sure you add this through the Exim configuration editor in WHM. Adding this by editing the exim.conf file directly will cause cPanel to overwrite it the next time it updates.

[kdarray]

thanks jnagro for this short and sweet tip

[alwaysweb]

Simple little addin to exim config, thanks!

[alan-tor]

Can someone please explain how this works?

Presumably mail must first be received at the server in order to be scanned by SpamAssassin. So how can it be set to :fail: when it has already been received?

[nxds]

Quote:

Originally Posted by alanvox

Can someone please explain how this works?

Presumably mail must first be received at the server in order to be scanned by SpamAssassin. So how can it be set to :fail: when it has already been received?

The SMTP conversation isn't completed until the DATA verb is OK'd by the receiving server. In this test, the SA score is calculated after receiving the DATA section, and if too high the message is rejected, if not it is accepted into the queue for delivery. Rejecting the mail during any part of the SMTP conversation is a :fail: action and the sending server is responsible for any NDR, not yours.

[alan-tor]

Since SpamAssassin will scan the message and the message will be :fail:ed before being actually received, is it then possible to do this also for cPanel mail forwarders? I'd love to be able to have SpamAssassin work on mail forwarders rather than just on mail accounts.

[delsurf]

Nice add!! I just installed it and it seems to be working great... I lowered the threshold to 80 though. Hopefully someone can find a way to do this for emails with forwarders.

Thanks again for the script config!

[sds1az]

Yes indeed, very impressive, I put this in last night and checked my logs this morning and was stunned at how effective this is working. I highly recommend everyone to add this to their exim config, thanks for the tip jnagro!

[simplybe]

Hi,
Trying it now
Thanks

[alan-tor]

Has anyone discovered whether this also works for cPanel mail forwarders?

Since SpamAssassin will scan the message and the message will be :fail:ed before being actually received, then it would seem that it should work for mail forwarders.

I'd love to be able to have SpamAssassin work on mail forwarders as well as on mail accounts.